[BUG] - Add S3 Repository for AWS missing role_arn option #209

Closed
gw-bcharboneau opened this issue Feb 15, 2024 · 10 comments
@gw-bcharboneau

gw-bcharboneau commented Feb 15, 2024

Description
The UI does not allow adding an S3 bucket repository on AWS managed clusters because it is missing an option for settings.role_arn.
The following error is presented:

{"Message":"settings.role_arn is needed for snapshot registration."}

Steps To Reproduce
List the steps to reproduce your problem:

  1. Open elasticvue
  2. Click on Snapshots
  3. Click on New Repository
  4. Fill out info, selecting S3 for repository type
  5. No option to add role_arn is available
  6. Click Create
  7. See error in bottom right corner

Screenshots

Environment (please include the following information):

  • Elasticsearch version:
  • Elasticvue version: 1.0.3-stable
  • How are you running elasticvue? Desktop and Firefox Extension
  • Screenshot from Windows desktop app

Additional Info
Here is an example JSON body that gets sent to an AWS Elasticsearch/OpenSearch cluster to create a repo that uses S3:

{
    "type": "s3",
    "settings": {
        "bucket": "{{Bucket}}",
        "base_path": "{{SnapshotName}}",
        "role_arn": "{{RoleArn}}",
        "region": "{{Region}}"
    }
}

There are also other optional settings such as:

- "readonly": {true/false}
- "server_side_encryption": {true/false}
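As an added example (not code from elasticvue or from the commenter), the Python helper below builds the same registration body with role_arn and the two optional settings listed above, performs the role_arn check the service otherwise does server-side, and assembles the PUT _snapshot request. The function names, the role ARN regex, the endpoint, bucket, account id and role name are my own assumptions; the {{...}} placeholders in the body above are Postman variables, replaced here by literal sample values. Sending the request to an Amazon OpenSearch Service domain additionally requires SigV4 signing by an IAM identity that holds iam:PassRole on the role, which is outside the example.

```python
import json
import re
from typing import Optional

# IAM role ARN: arn:<partition>:iam::<12-digit account id>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def role_arn_error(role_arn: Optional[str], aws_managed: bool = True) -> Optional[str]:
    """Return the message the domain would reject the registration with, or None.

    Amazon OpenSearch Service (which also hosts legacy Elasticsearch domains)
    rejects a registration without settings.role_arn with exactly the message
    quoted in the issue; the ARN format check is an added client-side check.
    """
    if aws_managed and not role_arn:
        return "settings.role_arn is needed for snapshot registration."
    if role_arn and not ROLE_ARN_RE.match(role_arn):
        return f"settings.role_arn is not an IAM role ARN: {role_arn}"
    return None


def build_s3_repository_body(bucket: str, base_path: str, region: str,
                             role_arn: Optional[str] = None,
                             aws_managed: bool = True,
                             readonly: bool = False,
                             server_side_encryption: bool = False) -> dict:
    """Build the JSON body for PUT _snapshot/<repo> describing an S3 repository.

    readonly and server_side_encryption are the optional settings mentioned in
    the issue; they are only emitted when enabled so the body stays minimal.
    """
    error = role_arn_error(role_arn, aws_managed)
    if error:
        raise ValueError(error)
    settings = {"bucket": bucket, "base_path": base_path, "region": region}
    if role_arn:
        settings["role_arn"] = role_arn
    if readonly:
        settings["readonly"] = True
    if server_side_encryption:
        settings["server_side_encryption"] = True
    return {"type": "s3", "settings": settings}


def build_register_request(endpoint: str, repo_name: str, body: dict) -> dict:
    """Assemble the unsigned HTTP request for registering the repository.

    Against an Amazon OpenSearch Service domain the request must also be
    SigV4-signed (service name "es") by an identity that holds iam:PassRole on
    the role named in settings.role_arn; signing is not part of this example.
    """
    if not repo_name or any(c in repo_name for c in "/ \t"):
        raise ValueError(f"invalid repository name: {repo_name!r}")
    return {
        "method": "PUT",
        "url": f"{endpoint.rstrip('/')}/_snapshot/{repo_name}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body, separators=(",", ":")),
    }


if __name__ == "__main__":
    # Constructed sample values (hypothetical account id, bucket, role and endpoint).
    body = build_s3_repository_body(
        bucket="my-elastic-search-repo",
        base_path="snapshots",
        region="us-east-1",
        role_arn="arn:aws:iam::123456789012:role/TheSnapshotRole",
        server_side_encryption=True,
    )
    request = build_register_request(
        "https://search-example.us-east-1.es.amazonaws.com", "s3-repo", body)
    print(json.dumps(request, indent=2))
    # Without role_arn the same call fails the way the elasticvue UI does today:
    print(role_arn_error(None))
```

The aws_managed flag exists because self-hosted Elasticsearch and OpenSearch do not know the role_arn setting at all; for those clusters the body is emitted without it and the access key and secret still have to live in the node keystore.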
@cars10
Owner

cars10 commented Feb 16, 2024

Can you provide documentation for the role_arn option? This does not seem to be listed anywhere in the docs.

@gw-bcharboneau
Author

gw-bcharboneau commented Feb 16, 2024

Sure. See Step 2 and select Snapshots, as it may default to encrypted snapshots:
Creating index snapshots in Amazon OpenSearch Service


@cars10
Owner

cars10 commented Feb 16, 2024

Thanks, so we are talking about OpenSearch and not Elasticsearch. I will add this to #191.

@gw-bcharboneau
Author

gw-bcharboneau commented Feb 16, 2024

It’s Elasticsearch too. If it is hosted on AWS: they renamed their service to “AWS OpenSearch Service”, but it encompasses both (Elasticsearch versions up to 7.10) and (OpenSearch 1.x and 2.x). They changed their service offering name and started pushing OpenSearch because of Elastic changing their licensing model after 7.10.

I have had to use Postman to add a repo with role_arn for all of my clusters, even going back to version 1.5.

@cars10
Owner

cars10 commented Feb 16, 2024

I know the history of OpenSearch. But I am not able to find the option role_arn anywhere in the official Elasticsearch docs, that's why I assume it's OpenSearch only.

@gw-bcharboneau
Author

gw-bcharboneau commented Feb 16, 2024

It is because it is a customization that AWS made to allow users to add a repo that uses S3 without making the S3 bucket public. It has been there since version 1.5 on AWS managed clusters only.

The IAM role_arn is used to authenticate the cluster to have access to the S3 bucket.

Here is an example IAM Policy that would be attached to the role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-elastic-search-repo",
                "arn:aws:s3:::my-elastic-search-repo/*"
            ]
        }
    ]
}

And this is the trust policy that allows it to be used by Elasticsearch:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "Service": "es.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
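As an added example (my own code, not the commenter's or the project's), here is a small checker for the two policies above. It confirms that the permissions policy grants every S3 action a snapshot repository needs on the bucket and its objects, flags any Allow statement whose Resource is the whole of S3 rather than the repository bucket (the first statement above uses arn:aws:s3:::*, which works but is wider than needed), and confirms that the trust policy lets es.amazonaws.com call sts:AssumeRole, warning when the statement carries no Condition. The SourceAccount/SourceArn condition is general AWS guidance for service-principal trust policies, not something the issue discusses; the function names and the embedded copies of the policies are constructed for this example. Deny statements and Conditions are not evaluated, so this is a lint, not an IAM simulator.

```python
import fnmatch

# Bucket-level and object-level S3 actions a snapshot repository role needs,
# matching the split used in the policy above.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _allows(doc, action, resource):
    """True if some Allow statement covers the action/resource pair using
    IAM-style '*' and '?' wildcards. Deny statements and Conditions are ignored."""
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def check_permissions_policy(doc, bucket):
    """Report required grants that are missing and grants wider than the bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for action in sorted(BUCKET_ACTIONS):
        if not _allows(doc, action, bucket_arn):
            findings.append(f"MISSING: {action} on {bucket_arn}")
    for action in sorted(OBJECT_ACTIONS):
        if not _allows(doc, action, f"{bucket_arn}/*"):
            findings.append(f"MISSING: {action} on {bucket_arn}/*")
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"WARN: statement {i} grants "
                                f"{sorted(_as_list(st.get('Action', [])))} on {res}; "
                                f"scope it to {bucket_arn}")
    return findings


def check_trust_policy(doc):
    """Confirm es.amazonaws.com can assume the role and flag overly open trust."""
    findings = []
    assumable = False
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        actions = _as_list(st.get("Action", []))
        is_dict = isinstance(principal, dict)
        aws_principals = _as_list(principal.get("AWS", [])) if is_dict else []
        services = _as_list(principal.get("Service", [])) if is_dict else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"WARN: statement {i} lets any AWS principal assume the role")
        if "es.amazonaws.com" in services and "sts:AssumeRole" in actions:
            assumable = True
            if "Condition" not in st:
                # General AWS guidance for service-principal trust: pin
                # aws:SourceAccount / aws:SourceArn to your own domains.
                findings.append(f"WARN: statement {i} trusts es.amazonaws.com without an "
                                "aws:SourceAccount/aws:SourceArn condition")
    if not assumable:
        findings.append("MISSING: es.amazonaws.com must be allowed sts:AssumeRole")
    return findings


# Constructed copies of the two policies posted in the comment above.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::*"],
     "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"]},
    {"Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-elastic-search-repo",
                  "arn:aws:s3:::my-elastic-search-repo/*"],
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"Service": "es.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for line in (check_permissions_policy(PERMISSIONS_POLICY, "my-elastic-search-repo")
                 + check_trust_policy(TRUST_POLICY)):
        print(line)
```

Run against the posted policies it reports no missing grant, one WARN for the arn:aws:s3:::* resource in the first statement, and one WARN for the unconditioned trust statement; a role passing this check is still only usable by a caller that has iam:PassRole on it when the repository is registered.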

@gw-bcharboneau
Author

gw-bcharboneau commented Feb 16, 2024

Using a role allows you to bypass storing an access key and secret in the keystore, as it generates temporary credentials when the role is used.

@gw-bcharboneau
Author

This is literally all I run in Postman to set up a private S3 bucket as a repo:


With that I get a valid repo that I can send snapshots directly to, and I do not have to store credentials anywhere.

@gw-bcharboneau
Author

gw-bcharboneau commented Feb 16, 2024

All I am asking for is an optional parameter for IAM Role ARN for AWS managed clusters. Is this something you would be willing to look into? Using a role is much more secure than an IAM user with an access key and secret. I am more than happy to help test a build if it gets added.

@cars10
Owner

cars10 commented Feb 17, 2024

I will look into this. In the meantime, you can always use the rest page to manually run queries as you do in postman.
